Requirement 6 of PCI DSS v1.2 states that in order to be
compliant, an organization must: “Develop and maintain secure
systems and applications.” “Unscrupulous individuals use security
vulnerabilities to gain privileged access to systems. Many of
these vulnerabilities are fixed by vendor-provided security
patches, which must be installed by the entities that manage the
[...]

Requirement 4 of PCI DSS v1.2 states that we must: “Encrypt
transmission of cardholder data across open, public networks.”
Specifically, “Sensitive information must be encrypted during
transmission over networks that are easily accessed by malicious
individuals. Misconfigured wireless networks and vulnerabilities
in legacy encryption and authentication protocols can be
continued targets of malicious individuals who [...]

Requirement 2 of the PCI DSS v1.2 is: “Do not use vendor-supplied
defaults for system passwords and other security parameters.”
Understanding that we’re limiting the discussion solely to MySQL
(OS, Network Devices, and other software will no doubt apply to
overall compliance), we can do this easily. The vendor-supplied
default MySQL 5.1.43 (they’re similar across [...]

It’s amazing how many companies still follow a mainly “perimeter
security” approach when it comes to controlling access to
sensitive information—their focus is on network security using
firewalls, advanced authentication options, and so on. Even with
such measures, it’s very common to set up strong barriers to the
outside world but very little by way of internal limits; most
internal people have some level of access to servers that store
and process sensitive data.

Well, there’s nothing wrong with pre-screening your stuff, or
having access to the sensitive information, or setting up
advanced …
